x86/efistub: Omit physical KASLR when memory reservations exist

PlaidCat · PlaidCat · commit aaf3e1dfd539 · 2025-09-04T12:05:23.000-04:00
jira LE-4066 Rebuild_History Non-Buildable kernel-4.18.0-553.72.1.el8_10 commit-author Ard Biesheuvel <ardb@kernel.org> commit 15aa8fb Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-4.18.0-553.72.1.el8_10/15aa8fb8.failed The legacy decompressor has elaborate logic to ensure that the randomized physical placement of the decompressed kernel image does not conflict with any memory reservations, including ones specified on the command line using mem=, memmap=, efi_fake_mem= or hugepages=, which are taken into account by the kernel proper at a later stage. When booting in EFI mode, it is the firmware's job to ensure that the chosen range does not conflict with any memory reservations that it knows about, and this is trivially achieved by using the firmware's memory allocation APIs. That leaves reservations specified on the command line, though, which the firmware knows nothing about, as these regions have no other special significance to the platform. Since commit a1b87d5 ("x86/efistub: Avoid legacy decompressor when doing EFI boot") these reservations are not taken into account when randomizing the physical placement, which may result in conflicts where the memory cannot be reserved by the kernel proper because its own executable image resides there. To avoid having to duplicate or reuse the existing complicated logic, disable physical KASLR entirely when such overrides are specified. These are mostly diagnostic tools or niche features, and physical KASLR (as opposed to virtual KASLR, which is much more important as it affects the memory addresses observed by code executing in the kernel) is something we can live without. Closes: https://lkml.kernel.org/r/FA5F6719-8824-4B04-803E-82990E65E627%40akamai.com Reported-by: Ben Chaney <bchaney@akamai.com> Fixes: a1b87d5 ("x86/efistub: Avoid legacy decompressor when doing EFI boot") Cc: <stable@vger.kernel.org> # v6.1+ Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Ard Biesheuvel <ardb@kernel.org> (cherry picked from commit 15aa8fb) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # arch/x86/boot/compressed/eboot.c
diff --git a/ciq/ciq_backports/kernel-4.18.0-553.72.1.el8_10/15aa8fb8.failed b/ciq/ciq_backports/kernel-4.18.0-553.72.1.el8_10/15aa8fb8.failed
@@ -0,0 +1,142 @@
+x86/efistub: Omit physical KASLR when memory reservations exist
+
+jira LE-4066
+Rebuild_History Non-Buildable kernel-4.18.0-553.72.1.el8_10
+commit-author Ard Biesheuvel <ardb@kernel.org>
+commit 15aa8fb852f995dd234a57f12dfb989044968bb6
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-4.18.0-553.72.1.el8_10/15aa8fb8.failed
+
+The legacy decompressor has elaborate logic to ensure that the
+randomized physical placement of the decompressed kernel image does not
+conflict with any memory reservations, including ones specified on the
+command line using mem=, memmap=, efi_fake_mem= or hugepages=, which are
+taken into account by the kernel proper at a later stage.
+
+When booting in EFI mode, it is the firmware's job to ensure that the
+chosen range does not conflict with any memory reservations that it
+knows about, and this is trivially achieved by using the firmware's
+memory allocation APIs.
+
+That leaves reservations specified on the command line, though, which
+the firmware knows nothing about, as these regions have no other special
+significance to the platform. Since commit
+
+  a1b87d54f4e4 ("x86/efistub: Avoid legacy decompressor when doing EFI boot")
+
+these reservations are not taken into account when randomizing the
+physical placement, which may result in conflicts where the memory
+cannot be reserved by the kernel proper because its own executable image
+resides there.
+
+To avoid having to duplicate or reuse the existing complicated logic,
+disable physical KASLR entirely when such overrides are specified. These
+are mostly diagnostic tools or niche features, and physical KASLR (as
+opposed to virtual KASLR, which is much more important as it affects the
+memory addresses observed by code executing in the kernel) is something
+we can live without.
+
+Closes: https://lkml.kernel.org/r/FA5F6719-8824-4B04-803E-82990E65E627%40akamai.com
+	Reported-by: Ben Chaney <bchaney@akamai.com>
+Fixes: a1b87d54f4e4 ("x86/efistub: Avoid legacy decompressor when doing EFI boot")
+	Cc:  <stable@vger.kernel.org> # v6.1+
+	Reviewed-by: Kees Cook <keescook@chromium.org>
+	Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+(cherry picked from commit 15aa8fb852f995dd234a57f12dfb989044968bb6)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	arch/x86/boot/compressed/eboot.c
+diff --cc arch/x86/boot/compressed/eboot.c
+index 5df189735432,8ac4ac9fddef..000000000000
+--- a/arch/x86/boot/compressed/eboot.c
++++ b/arch/x86/boot/compressed/eboot.c
+@@@ -858,11 -772,29 +858,31 @@@ static void efi_get_seed(void *seed, in
+  
+  static void error(char *str)
+  {
+ -	efi_warn("Decompression failed: %s\n", str);
+ +	efi_printk(sys_table, "Decompression failed: ");
+ +	efi_printk(sys_table, str);
+ +	efi_printk(sys_table, "\n");
+  }
+  
++ static const char *cmdline_memmap_override;
++ 
++ static efi_status_t parse_options(const char *cmdline)
++ {
++ 	static const char opts[][14] = {
++ 		"mem=", "memmap=", "efi_fake_mem=", "hugepages="
++ 	};
++ 
++ 	for (int i = 0; i < ARRAY_SIZE(opts); i++) {
++ 		const char *p = strstr(cmdline, opts[i]);
++ 
++ 		if (p == cmdline || (p > cmdline && isspace(p[-1]))) {
++ 			cmdline_memmap_override = opts[i];
++ 			break;
++ 		}
++ 	}
++ 
++ 	return efi_parse_options(cmdline);
++ }
++ 
+  static efi_status_t efi_decompress_kernel(unsigned long *kernel_entry)
+  {
+  	unsigned long virt_addr = LOAD_PHYSICAL_ADDR;
+@@@ -890,9 -822,14 +910,13 @@@
+  		 *
+  		 * https://bugzilla.kernel.org/show_bug.cgi?id=218173
+  		 */
+ -		if (efi_system_table->hdr.revision <= EFI_2_00_SYSTEM_TABLE_REVISION &&
+ +		if (sys_table->hdr.revision <= EFI_2_00_SYSTEM_TABLE_REVISION &&
+  		    !memcmp(efistub_fw_vendor(), ami, sizeof(ami))) {
+ -			efi_debug("AMI firmware v2.0 or older detected - disabling physical KASLR\n");
+  			seed[0] = 0;
++ 		} else if (cmdline_memmap_override) {
++ 			efi_info("%s detected on the kernel command line - disabling physical KASLR\n",
++ 				 cmdline_memmap_override);
++ 			seed[0] = 0;
+  		}
+  
+  		boot_params_ptr->hdr.loadflags |= KASLR_FLAG;
+@@@ -988,7 -901,33 +1012,37 @@@ void __noreturn efi_main(struct efi_con
+  
+  	status = efi_setup_5level_paging();
+  	if (status != EFI_SUCCESS) {
+++<<<<<<< HEAD:arch/x86/boot/compressed/eboot.c
+ +		efi_printk(sys_table, "efi_setup_5level_paging() failed!\n");
+++=======
++ 		efi_err("efi_setup_5level_paging() failed!\n");
++ 		goto fail;
++ 	}
++ 
++ #ifdef CONFIG_CMDLINE_BOOL
++ 	status = parse_options(CONFIG_CMDLINE);
++ 	if (status != EFI_SUCCESS) {
++ 		efi_err("Failed to parse options\n");
++ 		goto fail;
++ 	}
++ #endif
++ 	if (!IS_ENABLED(CONFIG_CMDLINE_OVERRIDE)) {
++ 		unsigned long cmdline_paddr = ((u64)hdr->cmd_line_ptr |
++ 					       ((u64)boot_params->ext_cmd_line_ptr << 32));
++ 		status = parse_options((char *)cmdline_paddr);
++ 		if (status != EFI_SUCCESS) {
++ 			efi_err("Failed to parse options\n");
++ 			goto fail;
++ 		}
++ 	}
++ 
++ 	if (efi_mem_encrypt > 0)
++ 		hdr->xloadflags |= XLF_MEM_ENCRYPTION;
++ 
++ 	status = efi_decompress_kernel(&kernel_entry);
++ 	if (status != EFI_SUCCESS) {
++ 		efi_err("Failed to decompress kernel\n");
+++>>>>>>> 15aa8fb852f9 (x86/efistub: Omit physical KASLR when memory reservations exist):drivers/firmware/efi/libstub/x86-stub.c
+  		goto fail;
+  	}
+  
+* Unmerged path arch/x86/boot/compressed/eboot.c
